Tuesday, March 19, 2013

Before his sentencing hearing, Andrew Auernheimer, who was convicted on one charge of conspiracy under the Computer Fraud and Abuse Act (CFAA) and one charge of fraud involving personal information, declared in a statement that he was going to jail for “arithmetic.”

The twenty-six-year-old security researcher, known as “Weev,” was sentenced to forty-one months in prison and three years of supervised release, and ordered to pay $73,000 in restitution to AT&T.

The Verge reported that prosecutors had cited a Reddit chat he did on Sunday night when justifying the length of his sentence. In other words, speech in which he showed no remorse for his actions was used against him.

During proceedings, Auernheimer tried to use a tablet. He was cuffed by agents. He left the courtroom and returned in shackles five minutes later.

The Electronic Frontier Foundation announced the digital rights organization would be supporting an appeal before the Third Circuit Court of Appeals. “Weev is facing more than three years in prison because he pointed out that a company failed to protect its users’ data, even though his actions didn’t harm anyone,” EFF Senior Staff Attorney Marcia Hofmann said in a press release. “The punishments for computer crimes are seriously off-kilter, and Congress needs to fix them.”

The announcement of the appeal indicated that EFF, along with other attorneys, would be making his case part of a legal effort to challenge the CFAA. EFF Staff Attorney Hanni Fakhoury said Weev’s case shows how “problematic” the CFAA happens to be.

The CFAA has come under scrutiny and faced calls for reform since Aaron Swartz, who was being zealously prosecuted under the law for downloading documents off an academic database, committed suicide in January.

Auernheimer spoke to Mashable. In the interview he recounts how, in June 2010, there was an AT&T public server that he discovered was exposing customers’ personal data.

“There was a URL in this web server with a number at the end,” he explains. “And, if you would add 1 to this number, you would see the next iPad 3G user email address. I figured it was egregiously negligent for AT&T to be publishing a complete target list of their customers.”

According to Auernheimer, AT&T had a chance to address this security flaw in its public application programming interface (API), which is defined as a group of routines, protocols and tools for building software applications. Auernheimer then sampled data from the API, aggregated it and gave the data to a journalist because he felt “if a company puts you at risk you deserve to know about it and they deserve to be embarrassed.”
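As an added illustration, not from the article and not AT&T’s actual code, here is a minimal Python sketch of the pattern Auernheimer describes beside a hardened lookup: the insecure function returns any subscriber’s address for any sequential number, while the fixed one requires an authenticated session that owns the device and uses an opaque handle instead of a counter. All names, ids and addresses are constructed.

```python
import secrets
from typing import Optional

# Constructed sample data: sequential device ids mapped to subscriber email addresses
SUBSCRIBERS = {
    1000: "alice@example.com",
    1001: "bob@example.com",
    1002: "carol@example.com",
}


def lookup_email_insecure(device_id: int) -> Optional[str]:
    """Vulnerable pattern: the number in the URL is the only thing selecting the record.

    Nothing ties the request to the caller, so id + 1 is simply the next subscriber.
    """
    return SUBSCRIBERS.get(device_id)


# Hardened pattern (assumed design): an opaque, unguessable handle per device,
# and a lookup that must be bound to an authenticated session owning that device.
DEVICE_HANDLES = {device_id: secrets.token_urlsafe(16) for device_id in SUBSCRIBERS}
HANDLE_TO_ID = {handle: device_id for device_id, handle in DEVICE_HANDLES.items()}

# Constructed sessions: which authenticated subscriber owns which device
SESSIONS = {
    "session-alice": 1000,
    "session-bob": 1001,
}


def lookup_email_hardened(session_token: str, handle: str) -> Optional[str]:
    """Return the address only to the authenticated owner of the device.

    An unknown handle and someone else's handle get the identical response,
    so the endpoint does not act as an oracle for which handles exist.
    """
    owner = SESSIONS.get(session_token)
    if owner is None:
        return None  # unauthenticated caller
    device_id = HANDLE_TO_ID.get(handle)
    if device_id is None or device_id != owner:
        return None  # unknown handle, or a device the caller does not own
    return SUBSCRIBERS[device_id]
```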

He waited only a few hours before handing over the data, but Auernheimer said he believed there was a limited amount of time before AT&T would have obtained an injunction so that the company’s customers would not find out about the flaw. Also, the data was out on the open Internet. He is a security researcher and believes, “You don’t have the right to say you can’t cite this thing you published,” and, “You don’t have the right to cry later about how people use it to criticize you.”